<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.4.2">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/avatar.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/avatar.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/avatar.png">
  <link rel="mask-icon" href="/images/avatar.png" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">
  <link rel="stylesheet" href="//cdn.jsdelivr.net/gh/fancyapps/fancybox@3/dist/jquery.fancybox.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"notes.maxwi.com","root":"/","scheme":"Mist","version":"7.8.0","exturl":false,"sidebar":{"position":"right","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":true,"color":"#222","save":"auto"},"fancybox":true,"mediumzoom":false,"lazyload":true,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":true,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":false,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="UFW，即Uncomplicated Firewall，是基于iptables实现的防火墙管理工具，所以实际上UFW修改的是iptables的规则。之所以不直接使用iptables，而要通过UFW进行管理是因为iptables的规则对于新手入门来说有点难，UFW做了很好的包装。">
<meta property="og:type" content="article">
<meta property="og:title" content="Linux实用工具总结之UFW">
<meta property="og:url" content="http://notes.maxwi.com/2017/01/19/linux-command-tools-ufw/index.html">
<meta property="og:site_name" content="blueyi&#39;s notes">
<meta property="og:description" content="UFW，即Uncomplicated Firewall，是基于iptables实现的防火墙管理工具，所以实际上UFW修改的是iptables的规则。之所以不直接使用iptables，而要通过UFW进行管理是因为iptables的规则对于新手入门来说有点难，UFW做了很好的包装。">
<meta property="og:locale" content="en_US">
<meta property="article:published_time" content="2017-01-19T01:34:02.000Z">
<meta property="article:modified_time" content="2017-01-19T01:34:02.000Z">
<meta property="article:author" content="blueyi">
<meta property="article:tag" content="UFW">
<meta property="article:tag" content="iptables">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="http://notes.maxwi.com/2017/01/19/linux-command-tools-ufw/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'en'
  };
</script>

  <title>Linux实用工具总结之UFW | blueyi's notes</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

<link rel="alternate" href="/atom.xml" title="blueyi's notes" type="application/atom+xml">
<link rel="alternate" href="/rss2.xml" title="blueyi's notes" type="application/rss+xml">
</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="Toggle navigation bar">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">blueyi's notes</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">Follow Excellence,Success will chase you!</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>Home</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>Categories</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>Archives</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>Tags</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>About</a>

  </li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>Search
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
        <div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off"
           placeholder="Searching..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div id="search-result">
  <div id="no-result">
    <i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
  </div>
</div>

    </div>
  </div>

</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>
  <div class="reading-progress-bar"></div>
  <a role="button" class="book-mark-link book-mark-link-fixed"></a>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="en">
    <link itemprop="mainEntityOfPage" href="http://notes.maxwi.com/2017/01/19/linux-command-tools-ufw/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/default_avatar.jpg">
      <meta itemprop="name" content="blueyi">
      <meta itemprop="description" content="心怀善意，虛怀若谷！">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="blueyi's notes">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          Linux实用工具总结之UFW
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>

              <time title="Created: 2017-01-19 09:34:02" itemprop="dateCreated datePublished" datetime="2017-01-19T09:34:02+08:00">2017-01-19</time>
            </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">In</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/Linux/" itemprop="url" rel="index"><span itemprop="name">Linux</span></a>
                </span>
            </span>

          <br>
            <span class="post-meta-item" title="Symbols count in article">
              <span class="post-meta-item-icon">
                <i class="far fa-file-word"></i>
              </span>
                <span class="post-meta-item-text">Symbols count in article: </span>
              <span>4k</span>
            </span>
            <span class="post-meta-item" title="Reading time">
              <span class="post-meta-item-icon">
                <i class="far fa-clock"></i>
              </span>
                <span class="post-meta-item-text">Reading time &asymp;</span>
              <span>4 mins.</span>
            </span>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <p>UFW，即Uncomplicated Firewall，是基于iptables实现的防火墙管理工具，所以实际上UFW修改的是iptables的规则。之所以不直接使用iptables，而要通过UFW进行管理是因为iptables的规则对于新手入门来说有点难，UFW做了很好的包装。</p>
<span id="more"></span>
<p>本文测试环境为Ubuntu 16.04，其他系统可做参考。</p>
<h1 id="安装"><a href="#安装" class="headerlink" title="安装"></a>安装</h1><p>Ubuntu系统默认已经安装了UFW，如果没有ufw，可以手动安装：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo apt-get update</span></span><br><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo apt-get install ufw</span></span><br></pre></td></tr></table></figure>

<h1 id="基础配置"><a href="#基础配置" class="headerlink" title="基础配置"></a>基础配置</h1><h2 id="允许UFW管理IPV6"><a href="#允许UFW管理IPV6" class="headerlink" title="允许UFW管理IPV6"></a>允许UFW管理IPV6</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo vim /etc/default/ufw</span><br></pre></td></tr></table></figure>
<p>确保你的IPV6选项为yes即可：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">...</span><br><span class="line">IPV6=yes</span><br><span class="line">...</span><br></pre></td></tr></table></figure>

<h2 id="设置默认规则"><a href="#设置默认规则" class="headerlink" title="设置默认规则"></a>设置默认规则</h2><p>UFW默认情况下允许所有的出站连接，拒绝所有的入站连接，所以这里首先将UFW设置为默认规则：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw default deny incoming</span></span><br><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw default allow outgoing</span></span><br></pre></td></tr></table></figure>
<p><code>ufw default</code>也允许使用<code>reject</code>参数</p>
<h2 id="允许SSH连接"><a href="#允许SSH连接" class="headerlink" title="允许SSH连接"></a>允许SSH连接</h2><p>一旦启用UFW之后，如果没有允许SSH连接，将无法再通过SSH远程访问主机，所以在开启防火墙之后要确认SSH连接已经设置为允许：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow ssh</span></span><br></pre></td></tr></table></figure>
<p>这里创建一条规则，允许ssh连接，其实是允许22端口的连接，等价于：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow 22</span></span><br></pre></td></tr></table></figure>
<p>UFW通过<code>/etc/services</code>知道ssh服务使用的默认端口为22，如果你的SSH服务使用的端口不是22，则应该修改为相应 的端口号。</p>
<h2 id="查看防火墙状态"><a href="#查看防火墙状态" class="headerlink" title="查看防火墙状态"></a>查看防火墙状态</h2><p>通过以下命令查看防火墙状态：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw status verbose</span></span><br></pre></td></tr></table></figure>
<p>也可以不带verbose，当防火墙处于关闭状态时只会显示<code>inactive</code><br>可以查看刚刚添加的防火墙规则：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw show added</span></span><br></pre></td></tr></table></figure>
<p>show后面还可以跟其他几项参数，可以通过man手册查看<code>REPORTS</code></p>
<h1 id="启用-禁用UFW"><a href="#启用-禁用UFW" class="headerlink" title="启用/禁用UFW"></a>启用/禁用UFW</h1><p>启用UFW命令：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw <span class="built_in">enable</span></span></span><br></pre></td></tr></table></figure>
<p>该命令默认会将UFW设置为开机启动，如果发现重启后UFW并没有自动启动，可以手动设置UFW服务开机自动启动：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo systemctl start ufw</span></span><br><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo systemctl <span class="built_in">enable</span> ufw</span></span><br></pre></td></tr></table></figure>

<p>记得查看防火墙当前的状态：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw status</span></span><br><span class="line">Status: active</span><br><span class="line"></span><br><span class="line">To                         Action      From</span><br><span class="line">--                         ------      ----</span><br><span class="line">22                         ALLOW       Anywhere</span><br><span class="line">22 (v6)                    ALLOW       Anywhere (v6) </span><br></pre></td></tr></table></figure>


<p>禁用UFW：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw <span class="built_in">disable</span></span></span><br></pre></td></tr></table></figure>
<p>该命令会禁用防火墙并关闭其开机自动启动</p>
<h1 id="启用-禁用防火墙日志"><a href="#启用-禁用防火墙日志" class="headerlink" title="启用/禁用防火墙日志"></a>启用/禁用防火墙日志</h1><p>启用防火墙日志：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw logging on</span></span><br></pre></td></tr></table></figure>
<p>可以指定日志级别<code>sudo ufw logging low|medium|high</code><br>日志文件在<code>/var/log/ufw.log</code><br>内容形如：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Sep 16 15:08:14 &lt;hostname&gt; kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=123.45.67.89 DST=987.65.43.21 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=8475 PROTO=TCP SPT=48247 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0</span><br></pre></td></tr></table></figure>
<p>其中前面列出了主机防火墙日志的日期、时间、主机名，后面的内容意思是：</p>
<ul>
<li>[UFW BLOCK]：表示事件描述的开始以及是何种事件。在此例中，它表示阻止了连接。</li>
<li>IN：如果它包含一个值，那么代表该事件是传入事件</li>
<li>OUT：如果它包含一个值，那么代表事件是传出事件</li>
<li>MAC：目的地和源 MAC 地址的组合</li>
<li>SRC：IP数据包的源IP</li>
<li>DST：目的地的IP</li>
<li>LEN：数据包长度</li>
<li>TTL：数据 TTL，或称为time to live。</li>
<li>PROTO：数据包的协议</li>
<li>SPT：数据包的源端口</li>
<li>DPT：目标端口</li>
<li>WINDOW：发送方可以接收的数据包的大小</li>
<li>SYN URGP：指示是否需要三次握手。 0 表示不需要。</li>
</ul>
<p>禁用防火墙日志：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw logging off</span></span><br></pre></td></tr></table></figure>

<h1 id="允许连接"><a href="#允许连接" class="headerlink" title="允许连接"></a>允许连接</h1><p>默认情况下ufw的allow不加in允许连接是指允许入站连接，如果要指定允许出站，可以加上out，如：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$ sudo ufw allow in port #允许port入站</span><br><span class="line">$ sudo ufw allow out port #允许port出站</span><br></pre></td></tr></table></figure>
<h2 id="允许指定端口的所有连接协议"><a href="#允许指定端口的所有连接协议" class="headerlink" title="允许指定端口的所有连接协议"></a>允许指定端口的所有连接协议</h2><p>通过刚才设置ssh的规则，可以知道直接allow就是允许连接<br>允许HTTP 80端口的所有连接：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow http</span></span><br></pre></td></tr></table></figure>
<p>等价于：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow 80</span></span><br></pre></td></tr></table></figure>
<p>同样可以允许https的连接：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow https</span></span><br></pre></td></tr></table></figure>
<p>等价于：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow 443</span></span><br></pre></td></tr></table></figure>
<h2 id="允许指定端口的指定协议连接"><a href="#允许指定端口的指定协议连接" class="headerlink" title="允许指定端口的指定协议连接"></a>允许指定端口的指定协议连接</h2><p>FTP默认端口为21，连接协议为tcp，那么可以这样：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow ftp</span></span><br></pre></td></tr></table></figure>
<p>等价于：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow 21/tcp</span></span><br></pre></td></tr></table></figure>

<h2 id="允许指定范围内的端口的指定协议的连接"><a href="#允许指定范围内的端口的指定协议的连接" class="headerlink" title="允许指定范围内的端口的指定协议的连接"></a>允许指定范围内的端口的指定协议的连接</h2><p>例如，X11的连接端口范围是6000-6007：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow 6000:6007/tcp</span></span><br><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow 6000:6007/udp</span></span><br></pre></td></tr></table></figure>

<h2 id="允许指定IP的连接"><a href="#允许指定IP的连接" class="headerlink" title="允许指定IP的连接"></a>允许指定IP的连接</h2><p>通过查看防火墙状态可以看出有个From：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw status</span></span><br><span class="line">Status: active</span><br><span class="line"></span><br><span class="line">To                         Action      From</span><br><span class="line">--                         ------      ----</span><br><span class="line">22                         ALLOW       Anywhere                  </span><br><span class="line">21/tcp                     ALLOW       Anywhere                  </span><br><span class="line">22 (v6)                    ALLOW       Anywhere (v6)             </span><br><span class="line">21/tcp (v6)                ALLOW       Anywhere (v6)  </span><br></pre></td></tr></table></figure>
<p>默认情况是相应端口允许所有IP的连接，可以通过后跟from指定允许某IP的所有连接：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow from 15.15.15.51</span></span><br></pre></td></tr></table></figure>
<p>允许15.15.15.51的所有入站连接，命令后面跟<code>to any port 22</code>允许端口22的所有连接：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow from 15.15.15.51 to any port 22</span></span><br></pre></td></tr></table></figure>

<h2 id="允许子网的连接"><a href="#允许子网的连接" class="headerlink" title="允许子网的连接"></a>允许子网的连接</h2><p>如果要允许IP段<code>15.15.15.1</code>到<code>15.15.15.254</code>的所有连接：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow from 15.15.15.0/24</span></span><br></pre></td></tr></table></figure>
<p>并指定连接端口：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow from 15.15.15.0/24 to any port 22</span></span><br></pre></td></tr></table></figure>

<h2 id="指定允许通过某个网卡的连接"><a href="#指定允许通过某个网卡的连接" class="headerlink" title="指定允许通过某个网卡的连接"></a>指定允许通过某个网卡的连接</h2><p>通过命令中加入<code>allow in on</code>即可<br>首先查看系统中的所有网卡：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">ip addr</span></span><br></pre></td></tr></table></figure>
<p>或者：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">ifconfig</span></span><br></pre></td></tr></table></figure>
<p>假设这里允许eth0的80端口连接：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow <span class="keyword">in</span> on eth0 to any port 80</span></span><br></pre></td></tr></table></figure>

<h2 id="允许出站连接"><a href="#允许出站连接" class="headerlink" title="允许出站连接"></a>允许出站连接</h2><p>允许相应端口的出站连接，直接allow后面跟out即可：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw allow out 34</span></span><br></pre></td></tr></table></figure>

<h1 id="拒绝连接"><a href="#拒绝连接" class="headerlink" title="拒绝连接"></a>拒绝连接</h1><p>与允许连接一样，只需要将相应的allow换成<code>deny</code>即可，如拒绝http端口的所有连接：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw deny http</span></span><br></pre></td></tr></table></figure>
<p>等价于：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw deny 80</span></span><br></pre></td></tr></table></figure>

<p>拒绝指定ip的连接：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw deny from 15.15.15.51</span></span><br></pre></td></tr></table></figure>

<h1 id="删除规则"><a href="#删除规则" class="headerlink" title="删除规则"></a>删除规则</h1><p>UFW有两种方式删除防火墙规则，既可以通过规则号删除，也可以通过实际规则删除，通过规则号删除更容易。</p>
<h2 id="通过规则号删除"><a href="#通过规则号删除" class="headerlink" title="通过规则号删除"></a>通过规则号删除</h2><p>首先查看所有规则的规则号：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw status numbered</span></span><br><span class="line">Status: active</span><br><span class="line"></span><br><span class="line">     To                         Action      From</span><br><span class="line">     --                         ------      ----</span><br><span class="line">[ 1] 22                         ALLOW IN    Anywhere                  </span><br><span class="line">[ 2] 21/tcp                     ALLOW IN    Anywhere                  </span><br><span class="line">[ 3] 34                         ALLOW IN    Anywhere                  </span><br><span class="line">[ 4] 34                         ALLOW OUT   Anywhere                   (out)</span><br><span class="line">[ 5] 22                         ALLOW OUT   15.15.15.51                (out)</span><br><span class="line">[ 6] 22 (v6)                    ALLOW IN    Anywhere (v6)             </span><br><span class="line">[ 7] 21/tcp (v6)                ALLOW IN    Anywhere (v6)             </span><br><span class="line">[ 8] 34 (v6)                    ALLOW IN    Anywhere (v6)             </span><br><span class="line">[ 9] 34 (v6)                    ALLOW OUT   Anywhere (v6)              (out)</span><br></pre></td></tr></table></figure>
<p>然后直接delete即可，例如删除ftp(21)的连接规则：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw delete 2</span></span><br><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw delete 7</span></span><br></pre></td></tr></table></figure>
<p>因为即有ipv6，又有ipv4，所以需要删除2个</p>
<h2 id="通过规则删除"><a href="#通过规则删除" class="headerlink" title="通过规则删除"></a>通过规则删除</h2><p>删除<code>allow http</code>规则：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw delete allow http</span></span><br></pre></td></tr></table></figure>
<p>等价于：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw delete allow 80</span></span><br></pre></td></tr></table></figure>


<h1 id="重置防火墙规则"><a href="#重置防火墙规则" class="headerlink" title="重置防火墙规则"></a>重置防火墙规则</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ sudo ufw reset</span><br></pre></td></tr></table></figure>
<p>该命令将禁用UFW，并且删除所有已经定义的规则，不过默认该命令会对已经设置的规则进行备份</p>
<h1 id="备份-还原规则"><a href="#备份-还原规则" class="headerlink" title="备份/还原规则"></a>备份/还原规则</h1><p>UFW的所有规则文件都在路径<code>/etc/ufw/</code>，其中<code>before.rules</code>规则为UFW在运行用户自定义的规则之前运行的规则，相应的<code>before6.rules</code>对应IPV6。<code>after.rules</code>为UFW启用用户自定义规则之后运行的规则。<code>user.rules</code>即为用户自定义的规则。<br><code>/etc/default/ufw</code>文件为UFW的配置文件。<br>所以可以通过直接备份这些配置文件的方式来备份防火墙规则，需要备份的文件有：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/etc/ufw/*.rules</span><br><span class="line">/lib/ufw/*.rules</span><br><span class="line">/etc/default/ufw  # 这个配置文件如果没有修改过，可以不备份</span><br></pre></td></tr></table></figure>
<p>修改配置文件之后通过以下命令重新加载配置文件：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">sudo ufw reload</span></span><br></pre></td></tr></table></figure>

<h1 id="其他"><a href="#其他" class="headerlink" title="其他"></a>其他</h1><h2 id="批量禁止IP"><a href="#批量禁止IP" class="headerlink" title="批量禁止IP"></a>批量禁止IP</h2><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash"><span class="keyword">while</span> <span class="built_in">read</span> line; <span class="keyword">do</span> sudo ufw deny from <span class="variable">$line</span>; <span class="keyword">done</span> &lt; file.txt</span></span><br></pre></td></tr></table></figure>
<p>file.txt里面是一个需要禁止的IP列表</p>
<p>参考：<br>1.<a target="_blank" rel="noopener" href="https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-16-04">How To Set Up a Firewall with UFW on Ubuntu</a><br>2.<a target="_blank" rel="noopener" href="https://wiki.ubuntu.com/UncomplicatedFirewall">UncomplicatedFirewall</a><br>3.<a target="_blank" rel="noopener" href="https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw">How to Configure a Firewall with UFW</a></p>

    </div>

    
    
    
        

  <div class="followme">
    <p>Welcome to my other publishing channels</p>

    <div class="social-list">

        <div class="social-item">
          <a target="_blank" class="social-link" href="/atom.xml">
            <span class="icon">
              <i class="fa fa-rss"></i>
            </span>

            <span class="label">RSS</span>
          </a>
        </div>
    </div>
  </div>


      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/UFW/" rel="tag"># UFW</a>
              <a href="/tags/iptables/" rel="tag"># iptables</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2016/12/23/cmake-tutorial/" rel="prev" title="CMake简单教程">
      <i class="fa fa-chevron-left"></i> CMake简单教程
    </a></div>
      <div class="post-nav-item">
    <a href="/2017/02/26/ubuntu-cuda8-env-set/" rel="next" title="Ubuntu 16.04下CUDA8环境配置的2种方法">
      Ubuntu 16.04下CUDA8环境配置的2种方法 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          
    <div class="comments" id="gitalk-container"></div>

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          Table of Contents
        </li>
        <li class="sidebar-nav-overview">
          Overview
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%AE%89%E8%A3%85"><span class="nav-number">1.</span> <span class="nav-text">安装</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%9F%BA%E7%A1%80%E9%85%8D%E7%BD%AE"><span class="nav-number">2.</span> <span class="nav-text">基础配置</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%85%81%E8%AE%B8UFW%E7%AE%A1%E7%90%86IPV6"><span class="nav-number">2.1.</span> <span class="nav-text">允许UFW管理IPV6</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E8%AE%BE%E7%BD%AE%E9%BB%98%E8%AE%A4%E8%A7%84%E5%88%99"><span class="nav-number">2.2.</span> <span class="nav-text">设置默认规则</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%85%81%E8%AE%B8SSH%E8%BF%9E%E6%8E%A5"><span class="nav-number">2.3.</span> <span class="nav-text">允许SSH连接</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%9F%A5%E7%9C%8B%E9%98%B2%E7%81%AB%E5%A2%99%E7%8A%B6%E6%80%81"><span class="nav-number">2.4.</span> <span class="nav-text">查看防火墙状态</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%90%AF%E7%94%A8-%E7%A6%81%E7%94%A8UFW"><span class="nav-number">3.</span> <span class="nav-text">启用&#x2F;禁用UFW</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%90%AF%E7%94%A8-%E7%A6%81%E7%94%A8%E9%98%B2%E7%81%AB%E5%A2%99%E6%97%A5%E5%BF%97"><span class="nav-number">4.</span> <span class="nav-text">启用&#x2F;禁用防火墙日志</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%85%81%E8%AE%B8%E8%BF%9E%E6%8E%A5"><span class="nav-number">5.</span> <span class="nav-text">允许连接</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%85%81%E8%AE%B8%E6%8C%87%E5%AE%9A%E7%AB%AF%E5%8F%A3%E7%9A%84%E6%89%80%E6%9C%89%E8%BF%9E%E6%8E%A5%E5%8D%8F%E8%AE%AE"><span class="nav-number">5.1.</span> <span class="nav-text">允许指定端口的所有连接协议</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%85%81%E8%AE%B8%E6%8C%87%E5%AE%9A%E7%AB%AF%E5%8F%A3%E7%9A%84%E6%8C%87%E5%AE%9A%E5%8D%8F%E8%AE%AE%E8%BF%9E%E6%8E%A5"><span class="nav-number">5.2.</span> <span class="nav-text">允许指定端口的指定协议连接</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%85%81%E8%AE%B8%E6%8C%87%E5%AE%9A%E8%8C%83%E5%9B%B4%E5%86%85%E7%9A%84%E7%AB%AF%E5%8F%A3%E7%9A%84%E6%8C%87%E5%AE%9A%E5%8D%8F%E8%AE%AE%E7%9A%84%E8%BF%9E%E6%8E%A5"><span class="nav-number">5.3.</span> <span class="nav-text">允许指定范围内的端口的指定协议的连接</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%85%81%E8%AE%B8%E6%8C%87%E5%AE%9AIP%E7%9A%84%E8%BF%9E%E6%8E%A5"><span class="nav-number">5.4.</span> <span class="nav-text">允许指定IP的连接</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%85%81%E8%AE%B8%E5%AD%90%E7%BD%91%E7%9A%84%E8%BF%9E%E6%8E%A5"><span class="nav-number">5.5.</span> <span class="nav-text">允许子网的连接</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%8C%87%E5%AE%9A%E5%85%81%E8%AE%B8%E9%80%9A%E8%BF%87%E6%9F%90%E4%B8%AA%E7%BD%91%E5%8D%A1%E7%9A%84%E8%BF%9E%E6%8E%A5"><span class="nav-number">5.6.</span> <span class="nav-text">指定允许通过某个网卡的连接</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%85%81%E8%AE%B8%E5%87%BA%E7%AB%99%E8%BF%9E%E6%8E%A5"><span class="nav-number">5.7.</span> <span class="nav-text">允许出站连接</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E6%8B%92%E7%BB%9D%E8%BF%9E%E6%8E%A5"><span class="nav-number">6.</span> <span class="nav-text">拒绝连接</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%88%A0%E9%99%A4%E8%A7%84%E5%88%99"><span class="nav-number">7.</span> <span class="nav-text">删除规则</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E9%80%9A%E8%BF%87%E8%A7%84%E5%88%99%E5%8F%B7%E5%88%A0%E9%99%A4"><span class="nav-number">7.1.</span> <span class="nav-text">通过规则号删除</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E9%80%9A%E8%BF%87%E8%A7%84%E5%88%99%E5%88%A0%E9%99%A4"><span class="nav-number">7.2.</span> <span class="nav-text">通过规则删除</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E9%87%8D%E7%BD%AE%E9%98%B2%E7%81%AB%E5%A2%99%E8%A7%84%E5%88%99"><span class="nav-number">8.</span> <span class="nav-text">重置防火墙规则</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%A4%87%E4%BB%BD-%E8%BF%98%E5%8E%9F%E8%A7%84%E5%88%99"><span class="nav-number">9.</span> <span class="nav-text">备份&#x2F;还原规则</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%85%B6%E4%BB%96"><span class="nav-number">10.</span> <span class="nav-text">其他</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%89%B9%E9%87%8F%E7%A6%81%E6%AD%A2IP"><span class="nav-number">10.1.</span> <span class="nav-text">批量禁止IP</span></a></li></ol></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="blueyi"
      src="/images/default_avatar.jpg">
  <p class="site-author-name" itemprop="name">blueyi</p>
  <div class="site-description" itemprop="description">心怀善意，虛怀若谷！</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">104</span>
          <span class="site-state-item-name">posts</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">26</span>
        <span class="site-state-item-name">categories</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">68</span>
        <span class="site-state-item-name">tags</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/blueyi" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;blueyi" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
  </div>


  <div class="links-of-blogroll motion-element">
    <div class="links-of-blogroll-title"><i class="fa fa-link fa-fw"></i>
      Links
    </div>
    <ul class="links-of-blogroll-list">
        <li class="links-of-blogroll-item">
          <a href="http://maxwi.com/" title="http:&#x2F;&#x2F;maxwi.com" rel="noopener" target="_blank">Maxwi</a>
        </li>
    </ul>
  </div>

      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 2014 – 
  <span itemprop="copyrightYear">2022</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">blueyi</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-chart-area"></i>
    </span>
    <span title="Symbols count total">750k</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-coffee"></i>
    </span>
    <span title="Reading time total">11:22</span>
</div>
  <div class="powered-by">Powered by <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://mist.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Mist</a>
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/pjax/pjax.min.js"></script>
  <script src="//cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js"></script>
  <script src="//cdn.jsdelivr.net/gh/fancyapps/fancybox@3/dist/jquery.fancybox.min.js"></script>
  <script src="//cdn.jsdelivr.net/npm/lozad@1/dist/lozad.min.js"></script>

<script src="/js/utils.js"></script>


<script src="/js/schemes/muse.js"></script>


<script src="/js/next-boot.js"></script>

<script src="/js/bookmark.js"></script>

  <script>
var pjax = new Pjax({
  selectors: [
    'head title',
    '#page-configurations',
    '.content-wrap',
    '.post-toc-wrap',
    '.languages',
    '#pjax'
  ],
  switches: {
    '.post-toc-wrap': Pjax.switches.innerHTML
  },
  analytics: false,
  cacheBust: false,
  scrollTo : !CONFIG.bookmark.enable
});

window.addEventListener('pjax:success', () => {
  document.querySelectorAll('script[data-pjax], script#page-configurations, #pjax script').forEach(element => {
    var code = element.text || element.textContent || element.innerHTML || '';
    var parent = element.parentNode;
    parent.removeChild(element);
    var script = document.createElement('script');
    if (element.id) {
      script.id = element.id;
    }
    if (element.className) {
      script.className = element.className;
    }
    if (element.type) {
      script.type = element.type;
    }
    if (element.src) {
      script.src = element.src;
      // Force synchronous loading of peripheral JS.
      script.async = false;
    }
    if (element.dataset.pjax !== undefined) {
      script.dataset.pjax = '';
    }
    if (code !== '') {
      script.appendChild(document.createTextNode(code));
    }
    parent.appendChild(script);
  });
  NexT.boot.refresh();
  // Define Motion Sequence & Bootstrap Motion.
  if (CONFIG.motion.enable) {
    NexT.motion.integrator
      .init()
      .add(NexT.motion.middleWares.subMenu)
      .add(NexT.motion.middleWares.postList)
      .bootstrap();
  }
  NexT.utils.updateSidebarPosition();
});
</script>




  
  <script data-pjax>
    (function(){
      var canonicalURL, curProtocol;
      //Get the <link> tag
      var x=document.getElementsByTagName("link");
		//Find the last canonical URL
		if(x.length > 0){
			for (i=0;i<x.length;i++){
				if(x[i].rel.toLowerCase() == 'canonical' && x[i].href){
					canonicalURL=x[i].href;
				}
			}
		}
    //Get protocol
	    if (!canonicalURL){
	    	curProtocol = window.location.protocol.split(':')[0];
	    }
	    else{
	    	curProtocol = canonicalURL.split(':')[0];
	    }
      //Get current URL if the canonical URL does not exist
	    if (!canonicalURL) canonicalURL = window.location.href;
	    //Assign script content. Replace current URL with the canonical URL
      !function(){var e=/([http|https]:\/\/[a-zA-Z0-9\_\.]+\.baidu\.com)/gi,r=canonicalURL,t=document.referrer;if(!e.test(r)){var n=(String(curProtocol).toLowerCase() === 'https')?"https://sp0.baidu.com/9_Q4simg2RQJ8t7jm9iCKT-xh_/s.gif":"//api.share.baidu.com/s.gif";t?(n+="?r="+encodeURIComponent(document.referrer),r&&(n+="&l="+r)):r&&(n+="?l="+r);var i=new Image;i.src=n}}(window);})();
  </script>




  
<script src="/js/local-search.js"></script>













    <div id="pjax">
  

  

<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/gitalk@1/dist/gitalk.min.css">

<script>
NexT.utils.loadComments(document.querySelector('#gitalk-container'), () => {
  NexT.utils.getScript('//cdn.jsdelivr.net/npm/gitalk@1/dist/gitalk.min.js', () => {
    var gitalk = new Gitalk({
      clientID    : '0f8243eb2c8b2207980f',
      clientSecret: 'd159633a33519d3b7a48b0ca729032f7d1f38a41',
      repo        : 'notes',
      owner       : 'blueyi',
      admin       : ['blueyi'],
      id          : 'f63e0e333e3c91c561ac401c5f114c9e',
        language: '',
      distractionFreeMode: true
    });
    gitalk.render('gitalk-container');
  }, window.Gitalk);
});
</script>

    </div>
</body>
</html>
